
Payload Development Basics

Key Croc payloads may be written in any standard text editor, from Notepad on Windows to TextEdit on a Mac, or even nano on Linux, the best text editor ever. These simple ASCII files are processed by the Key Croc's payload framework. Payloads execute when the target types specified patterns of keystrokes. A payload can range from simply saving keystrokes of interest to an advanced array of attacks using multiple device emulation modes, complex pentest frameworks and specialized exploits.

Multiple payloads, each with a unique file name, may be loaded simultaneously from the Key Croc's udisk payloads folder.

Key Croc payloads are executed with bash, which means they can leverage this powerful shell scripting language. For example, conditional statements can be used to construct decision trees based on events, and text processing tools can be used to systematically extract typed key sequences of interest – storing them in variables for use later in the payload.

Payloads can take advantage of a number of Key Croc commands in addition to the standard Linux tools, pre-installed tools like nmap and smbclient, and optionally installed tools like metasploit, responder and impacket.

Command Overview

Basics

MATCH – specifies a pattern that must be typed to trigger payload execution

SAVEKEYS – saves next or last typed keys to a specified file when a MATCH is found

$TARGET_HOSTNAME – Host name of the target after executing an Ethernet ATTACKMODE

Note: The $LOOT variable is always available after MATCH triggers the payload. See the MATCH article for $LOOT details.

RELOAD_PAYLOADS

RELOAD_PAYLOADS

Will refresh the Key Croc framework with payload files from /root/udisk/payloads/

CHECK_PAYLOADS

CHECK_PAYLOADS

Will check the syntax of the payloads currently residing in /root/udisk/payloads/

RECORD_PAYLOAD

RECORD_PAYLOAD

Will parse each line entered, enabling interactive payload development with helpers.

ENABLE_PAYLOAD

ENABLE_PAYLOAD <payload_file_name>

Example

ENABLE_PAYLOAD my_payload.txt

Will enable the specified payload.

DISABLE_PAYLOAD

DISABLE_PAYLOAD <payload_file_name>

Example

DISABLE_PAYLOAD my_payload.txt

INSTALL_EXTRAS

INSTALL_EXTRAS

Will install additional third party software such as metasploit, impacket and responder to the /tools/ directory.

KEYBOARD

KEYBOARD

Will return PRESENT or MISSING depending on whether a keyboard is attached.

udisk

udisk [ mount | unmount | remount | reformat ]

WAIT_FOR_KEYBOARD_ACTIVITY

WAIT_FOR_KEYBOARD_ACTIVITY <refresh interval in seconds>

Example

WAIT_FOR_KEYBOARD_ACTIVITY 1

Will check for keyboard activity at each specified time interval, halting further payload execution until keyboard activity is detected. The example waits until there is keyboard activity within a 1-second window.

WAIT_FOR_KEYBOARD_INACTIVITY

WAIT_FOR_KEYBOARD_INACTIVITY <seconds of inactivity required>

Example

WAIT_FOR_KEYBOARD_INACTIVITY 300

Will check for keyboard inactivity, halting further payload execution until the specified time has elapsed with no keyboard activity. The example will wait until there have been no keypresses for 5 minutes (300 seconds).

WAIT_FOR_LOOT

WAIT_FOR_LOOT </path/to/file> (optional)<refresh interval in seconds>

Example

WAIT_FOR_LOOT /root/loot/captured_keys.txt 5

Will wait for the specified file to exist or, if it already exists, for its line count to increase, halting further payload execution until then. Can be used in conjunction with SAVEKEYS NEXT, which will write the loot file when the specified number of keys have been typed. The example will wait until the captured_keys.txt file exists, checking every 5 seconds.